Mattie
December 3, 2013, 3:07pm
Hi,
I’m having trouble getting hairpin NAT to work on my RB2011UAS-2HnD-IN (version 6.5).
I currently have these NAT settings:
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 / 1 -> disabled rules
2 ;;; masquerade
chain=srcnat action=masquerade out-interface=ether1-gateway
4 ;;; Hairpin NAT rule
chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.250
5 ;;; SERV: FTP (this is a normal nat rule that works fine)
chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=20-21 protocol=tcp in-interface=ether1-gateway dst-port=20-21
The best option for me would be something like this:
request to external IP
router parses request, checks NAT rules to see what IP to forward to and relays packet to that IP
However, as far as I understand, I need to add a special NAT rule for EVERY device (most rules go to 192.168.1.250), so that would be fine as well.
Thanks for any advice!
Joe1vm
December 3, 2013, 8:30pm
Hi Mattie,
I am not a specialist, but Hairpin NAT is working properly for me on the same router since version 6.7, which includes “fixed hairpin nat on bridge with use-ip-firewall=yes;”.
I think you may want to check http://wiki.mikrotik.com/wiki/Hairpin_NAT carefully, together with the highlighted rule. I would say that the traffic from the LAN will hardly reach ether1-gateway as in-interface; this I would expect to work from outside only. But maybe I am wrong…
Regards
Josef
ROS v6.7 fixed my hairpin nat issues too … update.
Mattie
December 5, 2013, 11:05am
Hi,
Even when I update to 6.7 I still don’t get it to work. Can you share your NAT rule?
Mattie
December 5, 2013, 12:26pm
Hi,
Even when I update to 6.7 I still don’t get it to work. Can you share your NAT rule?
edit:
It works when I reboot my router!
However, I now have the following problem:
I want all traffic to my external IP just to go back internally, so I added the following rule:
3 ;;; Hairpin NAT rule
chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.0/24
However, when I use the following:
4 ;;; SERV: FTP
chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=80 protocol=tcp in-interface=ether1-gateway dst-port=80
It doesn’t work, so I remove the “in-interface”:
4 ;;; SERV: FTP
chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=80 protocol=tcp dst-port=80
But: now all my outgoing internet traffic is transferred to my server!
So now I make this rule (where 1.1.1.1 is my external IP):
5 ;;; SERV: HTTP
chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=80 protocol=tcp dst-address=1.1.1.1 dst-port=80
But: I have a dynamic IP so I don’t want to change it all the time.
How can I forward all packets to my EXTERNAL IP, with origin my internal network, “back” into the network without having to set my external dynamic IP?
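The following rule set is an added example, not configuration posted in this thread and not the MikroTik wiki page's own text. It shows one way to get the hairpin behaviour asked about above without hard-coding the dynamic public address: the dstnat rule matches on dst-address-type=local (the packet is addressed to one of the router's own IPs, whatever the WAN address currently is) instead of on dst-address=1.1.1.1 or on in-interface. It assumes the layout used in the thread (LAN 192.168.1.0/24 on bridge-local, WAN on ether1-gateway, web server 192.168.1.250) plus one assumption the thread does not state: that the router's own LAN address is 192.168.1.1.

```routeros
# Added example for the hairpin NAT question above; not from the thread.
# Assumptions: LAN 192.168.1.0/24 on bridge-local, WAN on ether1-gateway,
# web server at 192.168.1.250, router's own LAN address 192.168.1.1 (assumed).

/ip firewall nat

# 1. Normal outbound masquerade for LAN clients going to the Internet.
add chain=srcnat out-interface=ether1-gateway action=masquerade comment="masquerade"

# 2. Port forward. dst-address-type=local matches only packets whose
#    destination is one of the router's OWN addresses, so it follows the
#    dynamic WAN address automatically and works both from the Internet and
#    from the LAN. Unlike a dstnat rule with neither in-interface nor
#    dst-address, it does NOT redirect ordinary outbound web traffic.
#    dst-address=!192.168.1.1 keeps the router's LAN address (and its own
#    web interface on port 80) out of the forward.
add chain=dstnat dst-address-type=local dst-address=!192.168.1.1 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.250 to-ports=80 comment="SERV: HTTP"

# 3. Hairpin: a LAN client reaching the server through the public address
#    must see the reply come back from the router, not directly from the
#    server, so source-NAT that traffic. Keep the match narrow (server and
#    port only, not the whole /24) so other LAN-to-LAN traffic is untouched
#    and the server still logs real client addresses for everything except
#    hairpinned connections.
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.250 protocol=tcp dst-port=80 action=masquerade comment="Hairpin NAT"
```

Rule 2 is the part that answers the dynamic-IP question; rule 3 is the same kind of srcnat masquerade the wiki's hairpin page describes, limited to the server. Dropping in-interface from a dstnat rule without adding another destination match, as in the thread, turns the port forward into a transparent redirect of every outbound port-80 connection, which is exactly the "all my outgoing traffic goes to my server" symptom; matching on dst-address-type=local avoids that while still not naming the public address.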
I’m a beginner but hairpin NAT works for me on my RB2011 with an out-interface, not a dst-address. I’m sending local traffic (192.168.1.0/24) to the local bridge.
6 ;;; Hairpin NAT
chain=srcnat action=masquerade protocol=tcp src-address=192.168.1.0/24 out-interface=bridge-local dst-port=21,22,25,80,143,587,993,443